As VEX (Vulnerability Exploitability eXchange) becomes increasingly important for compliance frameworks and vulnerability triage, Open Source projects face a new challenge: not just generating VEX data, but keeping it accurate, contextual, and maintainable over time. While the CRA only requires manufacturers to provide "products without known exploitable vulnerabilities", upstream projects that publish reliable exploitability information can significantly ease downstream compliance. At the same time, providing this data can increase trust, improve adoption, and help justify or even crowd-fund the ongoing maintenance efforts required to support Open Source security.

This talk focuses on the real-world complexities of integrating VEX into an active OSS project: determining vulnerability reachability, assessing exploitability in specific code paths, handling contextual suppression, and keeping all of this in sync with frequent releases and dependency updates. These tasks are far more demanding than generating an SBOM, and are often beyond the capacity of volunteer maintainers without dedicated tooling.

We will share lessons learned from introducing automated VEX generation in Apache Solr, replacing its previously hand-maintained VEX document. The session will cover:

- Practical friction points OSS maintainers face when adopting VEX
- How to integrate VEX generation into CI/CD pipelines
- Design and implementation of the VEX Generation ToolSet
- Balancing automation with project-specific security review processes
- Benefits and limitations encountered when introducing VEX at scale

Attendees will leave with a concrete understanding of what it takes to operationalize VEX in an Open Source project, and how tooling can reduce the burden while improving compliance quality and accuracy.

This session was recorded during Code & Compliance - FOSDEM Edition, held on 29 January 2026 in Brussels.
For more information about the Open Regulatory Compliance (ORC) Working Group and details on upcoming events, visit orcwg.org
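As an added illustration (not part of the talk, of Apache Solr, or of the VEX Generation ToolSet it describes), a CI-style lint in Python for two of the accuracy problems the abstract raises: a not_affected statement that suppresses a finding without recording why the code is unreachable, and an affected statement that gives downstream users no action. It assumes the OpenVEX JSON layout; the CVE ids and package URL in the constructed sample are placeholders.

```python
from typing import List

# Status and justification vocabularies as defined by the OpenVEX specification.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path", "inline_mitigations_already_exist",
    "vulnerable_code_cannot_be_controlled_by_adversary",
}

def lint_vex(doc: dict) -> List[str]:
    """Return the problems found; an empty list means the document passes."""
    problems = []
    for i, st in enumerate(doc.get("statements", [])):
        vuln = st.get("vulnerability", {}).get("name", "<missing>")
        where = f"statement {i} ({vuln})"
        status = st.get("status")
        if status not in STATUSES:
            problems.append(f"{where}: unknown status {status!r}")
            continue
        if not st.get("products"):
            problems.append(f"{where}: no products listed")
        if status == "not_affected":
            # A suppression is only reviewable if it records why the code is unreachable.
            just = st.get("justification")
            if just is None and not st.get("impact_statement"):
                problems.append(f"{where}: not_affected without justification or impact_statement")
            elif just is not None and just not in JUSTIFICATIONS:
                problems.append(f"{where}: unknown justification {just!r}")
        elif status == "affected" and not st.get("action_statement"):
            problems.append(f"{where}: affected without action_statement")
    return problems

# Constructed sample (placeholder CVE ids and purl, not real advisories): a well-formed
# suppression, a suppression lacking its reason, and an affected entry with no guidance.
PRODUCT = {"@id": "pkg:maven/org.example/app@1.0.0"}
SAMPLE = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [PRODUCT],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [PRODUCT],
         "status": "not_affected"},
        {"vulnerability": {"name": "CVE-0000-0003"}, "products": [PRODUCT],
         "status": "affected"},
    ],
}
if __name__ == "__main__":
    for problem in lint_vex(SAMPLE):
        print("VEX lint:", problem)
```

In a pipeline, a non-empty result from `lint_vex` on the generated document is the signal to fail the build before the VEX file is published.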